Cisco 3.3 User Manual

Page 404


Chapter 10 System Configuration: Authentication and Certificates

About Certification and EAP Protocols

10-24

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

accepted by the secondary Cisco Secure ACS in a replication scheme where
the EAP-FAST master server setting is enabled on the secondary
Cisco Secure ACS.

Tip

In a replicated Cisco Secure ACS environment, use the EAP-FAST master server
feature in conjunction with disallowing automatic PAC provisioning to control
EAP-FAST access to different segments of your network. Without automatic PAC
provisioning, users must request PACs for each network segment.

Disabled—When the EAP-FAST master server check box is not selected,
Cisco Secure ACS continues to operate as an EAP-FAST master server until
the first time it receives replicated EAP-FAST components from the primary
Cisco Secure ACS. When “Actual EAP-FAST server status” displays the text
Slave, Cisco Secure ACS uses the EAP-FAST settings, Authority ID, and
master keys it receives from a primary Cisco Secure ACS during replication,
rather than using master keys it generates and its unique Authority ID.

Note

When you deselect the EAP-FAST master server check box, the
“Actual EAP-FAST server status” remains Master until Cisco Secure
ACS receives replicated EAP-FAST components and then the “Actual
EAP-FAST server status” changes to Slave. Until “Actual EAP-FAST
server status” changes to Slave, Cisco Secure ACS acts as a master
EAP-FAST server, using master keys it generates, its unique
Authority ID, and the EAP-FAST settings configured in its HTML
interface.

Disabling the EAP-FAST master server setting eliminates the need for
providing a different PAC from the primary and secondary Cisco Secure
ACSes. This is because the primary and secondary Cisco Secure ACSes send
the end-user client the same Authority ID at the beginning of the EAP-FAST
transaction; therefore, the end-user client uses the same PAC in its response
to either Cisco Secure ACS. Also, a PAC generated for a user by one
Cisco Secure ACS in a replication scheme where the EAP-FAST master
server setting is disabled is accepted by all other Cisco Secure ACSes in the
same replication scheme.
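
The behavior described above, as an added example that is not Cisco code and not part of the original guide: a toy model of a primary and two secondaries whose master server check box is deselected, showing which PACs each server accepts before and after replication. The `Acs` class, the user names, and the stand-in PAC (an HMAC tag over the user name under the master key) are assumptions for illustration and do not reflect the real PAC format.

```python
import hashlib
import hmac
import os


class Acs:
    """Toy ACS server; secondaries are modelled with the master check box deselected."""

    def __init__(self, name):
        self.name = name
        self.status = "Master"              # "Actual EAP-FAST server status"
        self.authority_id = os.urandom(16)  # unique Authority ID
        self.master_key = os.urandom(32)    # master key it generates itself

    def receive_replication(self, primary):
        # Replicated components replace the local ones; status flips to Slave.
        self.authority_id = primary.authority_id
        self.master_key = primary.master_key
        self.status = "Slave"

    def issue_pac(self, user):
        # Stand-in PAC (assumption): Authority ID, user name, HMAC tag under the master key.
        tag = hmac.new(self.master_key, user.encode(), hashlib.sha256).digest()
        return (self.authority_id, user, tag)

    def accepts(self, pac):
        authority_id, user, tag = pac
        if authority_id != self.authority_id:
            return False  # PAC was issued under a different Authority ID
        expected = hmac.new(self.master_key, user.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)


def run_scenario():
    primary, sec_a, sec_b = Acs("primary"), Acs("secondary-a"), Acs("secondary-b")
    pac = primary.issue_pac("alice")        # constructed user name
    before = (sec_a.status, sec_a.accepts(pac))
    for secondary in (sec_a, sec_b):
        secondary.receive_replication(primary)
    after = (sec_a.status, sec_a.accepts(pac))
    # A PAC issued by one secondary is honoured by every server in the scheme.
    cross = all(s.accepts(sec_b.issue_pac("bob")) for s in (primary, sec_a, sec_b))
    return before, after, cross


if __name__ == "__main__":
    print(run_scenario())
```
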

For more information about replication, see CiscoSecure Database Replication,
page 9-1.
